Samples

I received some malspam on 03/13/18 entitled “About a internship.” The email came with an attachment called “Janeen Resume.doc”:

The email is pretending to come from somebody interested in a job opening and they have attached their “résumé.” In reality, this document is being used as a downloader for Sigma ransomware.

Opening the document confirms that it is password protected:

Inputting the password presents the victim with some instructions:

I typically scan malicious Office documents for embedded macros using tools like olevba.py and oledump.py. However, if you were to do this before removing the password you wouldn’t get any detections, because a password-protected document is stored encrypted and the macro container isn’t visible to the scanners:

To get around this, I simply removed the password and saved the document.

Here you can see that the document is password protected, as well as various document properties like when it was created, last modified, and the author(s).

To do that, click on “Protect Document”, remove the password, click “OK”, and then save the document:

Scanning the document again shows it is a “Microsoft Word 2007+” document file using the Office Open XML (OOXML) file format. Because it’s an XML-based format (a ZIP container holding XML parts), we can unzip it and look at the contents:

Unzipping the file allows you to see the contents, including the images (image1.png and image2.png) used within the document. Also, embedded macros in XML-based Office documents are typically stored in a binary file named vbaProject.bin, which we can see in the “word” directory.

Using strings we can quickly examine vbaProject.bin for any interesting ASCII strings:

As you can see from the image above, strings found the command and URL used to download the malware payload.

An even better option for this scenario would be to use olevba.py:

olevba.py is a handy tool because it gives analysts a table summarizing the risky keywords found within the file. Another good option would be to use oledump.py.
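As an added example (not code from the original post or from the oletools project), here is a small Python triage script that does the unzip-and-strings step above programmatically: it opens an OOXML container, lists its parts, and pulls printable strings, URLs and a few olevba-style keywords out of any vbaProject.bin it finds. The .docx it builds in memory and the contents of its vbaProject.bin are constructed stand-ins (the URL points at example.invalid), not the sample from the post.

```python
import io
import re
import zipfile

# Constructed stand-in for word/vbaProject.bin: the OLE2 magic header followed by a few
# strings of the kind that `strings` or olevba would surface. Not a real macro container.
SAMPLE_VBA_BIN = (
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24
    + b"ThisDocument\x00Document_Open\x00"
    + b"bitsadmin\x00http://example.invalid/taskwgr.exe\x00%AppData%\x00"
    + b"\x01\x02\x03"
)

# A handful of keywords in the spirit of olevba's summary table (not its full list).
RISKY_KEYWORDS = ("autoopen", "autoclose", "document_open", "shell",
                  "bitsadmin", "powershell", "createobject")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def build_sample_docx() -> bytes:
    """Build a minimal OOXML container (a ZIP) with a macro part, standing in for a .docx."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/media/image1.png", b"\x89PNG\r\n\x1a\n")
        z.writestr("word/vbaProject.bin", SAMPLE_VBA_BIN)
    return buf.getvalue()


def ascii_strings(data: bytes, min_len: int = 6):
    """Equivalent of `strings -n 6`: runs of printable ASCII of at least min_len bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def triage_docx(docx_bytes: bytes) -> dict:
    """List the parts of an OOXML file and scan any vbaProject.bin for URLs and risky keywords."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        parts = z.namelist()
        macro_parts = [p for p in parts if p.lower().endswith("vbaproject.bin")]
        result = {"parts": parts, "has_macro_part": bool(macro_parts),
                  "looks_like_ole": False, "urls": [], "keywords": set()}
        for part in macro_parts:
            data = z.read(part)
            # vbaProject.bin is itself an OLE2 compound file nested inside the ZIP.
            result["looks_like_ole"] = data.startswith(OLE_MAGIC)
            for s in ascii_strings(data):
                result["urls"].extend(URL_RE.findall(s))
                low = s.lower()
                result["keywords"].update(k for k in RISKY_KEYWORDS if k in low)
    return result


if __name__ == "__main__":
    for key, value in triage_docx(build_sample_docx()).items():
        print(f"{key}: {value}")
```

This only covers the unencrypted case; as noted above, the password has to come off first, because the protected file is an encrypted wrapper rather than a ZIP.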

Now, getting back to examining the file from the perspective of the victim… After entering the password and clicking “Enable Content” the victim’s host would make a HEAD request, followed by a GET request, for the malware payload:

You can see that the User-Agent is “Microsoft BITS/7.8”, confirming the bitsadmin tool was used to download the file. The malware payload is downloaded from the remote server and saved to %AppData% as “taskwgr.exe”.
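Added example, not from the post: a detector for the BITS download pattern described above, run over a few constructed proxy log lines. It keys on the “Microsoft BITS/” User-Agent, an executable extension, a destination outside a short allowlist of expected update sources, and the HEAD-then-GET pairing. The log format, the hosts and the allowlist are assumptions made for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log lines: time, client, method, URL, status, user-agent.
SAMPLE_PROXY_LOG = """\
2018-03-13T14:02:10Z 10.0.0.25 GET http://intranet.example.invalid/index.html 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2018-03-13T14:02:31Z 10.0.0.25 HEAD http://cdn.example.invalid/files/taskwgr.exe 200 "Microsoft BITS/7.8"
2018-03-13T14:02:31Z 10.0.0.25 GET http://cdn.example.invalid/files/taskwgr.exe 200 "Microsoft BITS/7.8"
2018-03-13T14:05:00Z 10.0.0.40 GET http://download.windowsupdate.com/d/msdownload/update.cab 200 "Microsoft BITS/7.8"
2018-03-13T14:06:12Z 10.0.0.40 GET http://cdn.example.invalid/files/notes.txt 200 "Microsoft BITS/7.8"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')
# Hosts where BITS traffic is expected; a real deployment maintains this per environment.
EXPECTED_BITS_SUFFIXES = ("windowsupdate.com", "microsoft.com", "windows.com")
EXECUTABLE_EXTS = (".exe", ".dll", ".scr", ".msi")


def parse_line(line: str):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status, ua = m.groups()
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": int(status), "ua": ua}


def is_expected_host(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in EXPECTED_BITS_SUFFIXES)


def detect_bits_downloads(log_text: str):
    """One alert per (client, URL) where BITS fetched an executable from an unexpected host."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["ua"].startswith("Microsoft BITS/"):
            continue
        seen[(rec["client"], rec["url"])].append(rec["method"])

    alerts = []
    for (client, url), methods in seen.items():
        parts = urlsplit(url)
        host = parts.hostname or ""
        if is_expected_host(host) or not parts.path.lower().endswith(EXECUTABLE_EXTS):
            continue
        alerts.append({
            "client": client, "host": host, "url": url, "methods": methods,
            # HEAD followed by GET is BITS probing the size, then doing the transfer.
            "head_then_get": methods[:2] == ["HEAD", "GET"],
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_bits_downloads(SAMPLE_PROXY_LOG):
        print(alert)
```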

The sample never encrypted files in my virtual lab but did encrypt files on a physical host (not mine). However, I didn’t have the time to do any further analysis so I can’t confirm how it’s detecting my virtual sandbox.

When the process is complete, the desktop background is changed to green text on a black background (the images below were borrowed from the Internet):

While encrypting the system, Sigma ransomware creates ransom notes named ReadMe.txt in each folder in which a file was encrypted.

On closer inspection, it looks like Fobos is redirecting to the HookAds template (thanks Jerome for double-checking that for me). The decoy site that had redirected to HookAds on 03/07/18, covered in an earlier post, has the same code found in this infection chain on 03/11/18.

Samples

I haven’t posted anything on the HookAds campaign since 09/17/2017. Likewise, checking malware-traffic-analysis.net shows the last write-up for HookAds on 08/01/17. According to Jérôme Segura, the campaign went away in late October 2017 and started to resurface in late February 2018. This is evident from a recent Twitter post by MrHazum, which showed an infection chain that led to RIG EK delivering Bunitu. I decided to poke around and see what I would get. Let’s look at the HTTP traffic:

The victim’s host, who would have been redirected to a decoy site through malvertising, would then make a GET request for /click.php. Script found in page source:

<script type="text/javascript" src="/click.php"></script>

click.php returned the following:

After running this, we see a redirect to jhghvhbi3999[.]info GET /banners/advertising, which returns the pre-landing page:

The pre-landing page, having filtered out unwanted traffic, redirects to the RIG EK landing page. RIG EK then delivered Bunitu proxy Trojan. Hasherezade posted a really good write up on the Bunitu Trojan called “Revisiting The Bunitu Trojan”.

The malware payload was delivered to %Temp%:

We then see b38.exe detonate (PID: 1856) and set the following registry keys:

Samples

Post https://malwarebreakdown.com/?p=24723 (published 2018-02-26)

Over the weekend I went hunting for malvertising campaigns hoping to find something other than Seamless. However, on both Saturday (run 1 on 02-24-18) and Sunday (run 2 on 02-25-18), I ended up finding myself the victim of a Ramnit infection, courtesy of the Seamless campaign and RIG EK. I don’t have any hard data but Seamless appears to be dominating the malvertising landscape ever since the decline of HookAds.

Run 1:

This traffic is similar to what I wrote about on 02-21-18. The Seamless campaign was using LiberTex.one, which had been mirrored from LiberTex.org (legitimate site) on 02-08-18. The only change from my previous post was that the gate redirector was now located in the directory /pert/.

Run 2:

The threat actors started using IqOption.ink on 02-25-18 as the Seamless pre-gate. This site was mirrored from IqOption.com. Mirroring legitimate sites and using a different TLD seems to be a trend.

Next, we see the use of these domains for redirects:

RessAndy-ActorsIon.com (Created on 01-27-18)

Redirect.LiberTex.tech (Created on 02-09-18)

The last big change was the use of Punycode for the Seamless gate again:

It didn’t take me long to get the redirections that I had gone hunting for. Below is an edited image taken of the redirection chain:

Flowchart of the redirection chain:

One thing to note: libertex.one, which is currently resolving to 31.31.196.81 (Russia) and was registered on 02/07/2018, was mirrored from libertex.org by “HTTrack Website Copier” on February 8th, 2018. The IP address 31.31.196.81 has been used to host other Seamless gates and is worth blocking at the IP level.

Some other registrant information:

Attribute – Value

Registrar – Key-Systems LLC
Email – everydomaininplace@mail.ru
Name – Bjakas Raka
Organization – Maka Puka
Phone – 5553673755
NameServers – ns1.hosting.reg.ru and ns2.hosting.reg.ru

Pivoting off everydomaininplace@mail.ru shows the following domains:

Domain – Registered On

libertex.one – 2/7/2018
xnhmhtksxrafnvrdh.com – 11/13/2017
shmhmhfmnxvr.com – 9/21/2017
dlkorrtundbuov.com – 9/19/2017
udbqsimre.com – 9/18/2017
bmoqgnuyxdvtnnjnf.com – 9/18/2017
saqjrigpkuins.com – 9/18/2017
snxplvbkwja.com – 9/15/2017
gojmwuuvmp.com – 9/15/2017
elptuelny.com – 9/15/2017
rjwpncspruhjnpiud.com – 9/13/2017
qaskdhtuinhmmfsbcsu.com – 9/13/2017
bujynaslvjlmf.com – 9/13/2017
ieyiujkfdlphij.com – 9/13/2017
lhbkjtineroxhd.com – 9/13/2017
erwijyiyasbvfey.com – 9/13/2017
javtqaxboyqyxubai.com – 9/13/2017
husasoekpfigun.com – 9/13/2017
cswyqievc.com – 9/13/2017
lamxnulcidqxk.com – 9/13/2017
iwdellebhavmei.com – 9/13/2017
ffdjiuvufw.com – 8/31/2017

Googling these domains returns samples, from various sources, that were seen making DNS queries for them. Those queries are associated with the DGA used by Ramnit.

The next domains used by the threat actors were distan-kenques.com and redirect.distan-kenques.com. These were first seen on 02/19/2018. Lastly, we see the request for Seamless gate 3 being hosted at gavkingate.info. The response from the gate contains an iframe pointing to the RIG EK landing page:

Post https://malwarebreakdown.com/?p=24634 (published 2018-01-16, updated 2018-01-17)

Last week I decided to play around with some sketchy sites and, not surprisingly, I found myself getting infected with malware. Let’s go over the redirection chain and then I’ll go into brief detail about the malware infection.

After browsing on the sketchy site, we see some traffic to buzzadnetwork.com:

Alexa shows that buzzadnetworks.com is ranked 326 globally.

The request returns a 302 Moved Temporarily, pointing to a new location at xn--b1aanbnczd5ie1bf.xn--p1ai. Punycode is being used to encode the internationalized domain name (IDN). This decodes to языковязыков.рф (using a Cyrillic country code top-level domain).

The HTTP GET request for /redirect.php?acsc=93042904 returned the following:

The time zone information, referer, etc., is POSTed back to the server:

The server responds with the following:

This causes an HTTP GET request for a resource located at turself-josented[.]com. The server responds with the following:

The meta refresh redirects to a resource at redirect.turself-josented[.]com. The server responds to this GET request with the location of the Seamless gate:

The threat actors behind the Seamless campaign have been using Punycode for the location of the gates for over a month now; in our example it was xn--b1aanbboc3ad8jee4bff.xn--p1ai. This decodes to языковязыковязы.рф. The meta refresh redirects to the gate and the server responds with an iframe to RIG EK:
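Added example (not the post’s own code): decoding the Punycode hosts above with Python’s built-in idna codec, and recording which Unicode scripts each decoded host uses, since a host that mixes scripts deserves a closer look than one that is consistently Cyrillic. The hop list is constructed from the hosts quoted in the post.

```python
import unicodedata

# Constructed hop list for a redirect chain; the two xn-- hosts are the ones quoted in the post.
SAMPLE_HOSTS = [
    "buzzadnetwork.com",
    "xn--b1aanbnczd5ie1bf.xn--p1ai",
    "redirect.turself-josented.com",
    "xn--b1aanbboc3ad8jee4bff.xn--p1ai",
]


def decode_idn(host: str) -> str:
    """A-label host (xn--...) to its U-label form; plain ASCII hosts pass through unchanged.

    Python's idna codec also re-encodes the result and raises UnicodeError if the
    label does not round-trip, so a malformed A-label fails loudly instead of silently.
    """
    return host.encode("ascii").decode("idna")


def scripts_in(text: str):
    """Set of Unicode script prefixes (LATIN, CYRILLIC, ...) for the letters in text."""
    scripts = set()
    for ch in text:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch).split()[0])
    return scripts


def describe_host(host: str) -> dict:
    decoded = decode_idn(host)
    scripts = scripts_in(decoded)
    return {
        "host": host,
        "decoded": decoded,
        "is_idn": decoded != host,
        "scripts": scripts,
        # Latin plus Cyrillic look-alikes in one host is the classic homograph setup;
        # the gates here are uniformly Cyrillic, so this flag stays False for them.
        "mixed_script": len(scripts) > 1,
        "tld": decoded.rsplit(".", 1)[-1],
    }


def describe_chain(hosts):
    return [describe_host(h) for h in hosts]


if __name__ == "__main__":
    for hop in describe_chain(SAMPLE_HOSTS):
        print(hop["host"], "->", hop["decoded"], sorted(hop["scripts"]))
```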

Dropcanvas.com is a site used to transfer files between users. While not inherently malicious, file sharing sites are often abused in these types of social engineering schemes.

Clicking on the link in the email downloads PI2983793.doc, which contains an embedded VBA macro acting as a downloader.

For anyone interested, I uploaded the obfuscated macro to Pastebin. If you don’t have the time to statically analyze the macro, then there are numerous dynamic analysis techniques you could use to retrieve the malicious script.

The example below shows the VBA debugging tool built into Office being used to retrieve the PowerShell script containing the malicious URL:

Later we see u7cm.exe (PID: 5012) create “u7cm.exe” (PID: 3296) as a new process, u7cm.exe (PID: 5012) creates a log file at %LocalAppData%\Microsoft\CLR_v2.0_32\UsageLogs\ and writes to it, and then u7cm.exe (PID: 5012) kills its own process.

Next, u7cm.exe (PID: 3296) creates process eventvwr.exe, both PID 5856 and PID 6096. PID 6096, running with High integrity, creates powershell.exe (PID: 3036), which then creates process u7cm.exe (PID: 2384) with a High integrity level. An example of this can be seen in the process tree and currently running processes:

Shout-out to Vitali Kremez @VK_Intel for identifying this malware sample as Agent Tesla. According to other research done on this malware, the logged keystroke information is saved at %Temp%\log.tmp in plain text; however, I couldn’t find similar files on my system.

Here are some additional references detailing the functionality of Agent Tesla:

Downloads

Post https://malwarebreakdown.com/?p=24526 (published 2017-12-21, updated 2018-03-12)

A user received malspam with a .doc attachment. Static analysis of the file showed it was a Microsoft Word 2007+ document with an embedded macro located in vbaProject.bin.

The malware authors trick victims into enabling macros (Enable Content) and, to better evade sandboxes, use AutoClose to execute the macro after the file has been closed.

After closing the document, we can see the GET request to sukiebuchnieohuelivobos[.]com/AFK/lima.php?utma=versusf:

The User-Agent string used for this request was “Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; Tablet PC 2.0; InfoPath.3)”. Furthermore, you can see the script returned by the remote server in the image above.

Decoding it shows the following PowerShell command:

The GET requests are shown below:

The GET request for sukiebuchnieohuelivobos[.]com/AFK/versusf.pfx returns the malware payload:

The GET request for sukiebuchnieohuelivobos[.]com/s.php?id=versusf simply returned “tid=versusf”.

The GET request for cash4lcd[.]com/Stat.counter returned the following command:

Process 661.exe then created a copy of itself at “C:\Users\<User>\AppData\Roaming\Microsoft\BtpamRes\BthTtons.exe”:

661.exe creates a .bat file in a folder in %Temp%, writes to it, and then creates process cmd.exe. Process cmd.exe then reads from the .bat file, spawns cmd.exe as a child process, and then uses that to detonate BthTtons.exe. Process BthTtons.exe eventually deletes 661.exe.

Below is the process tree, which might give you a better understanding of what happened:
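Added example (not the posts’ own tooling): two process-tree rules over constructed process-creation events, modelled on the eventvwr.exe to powershell.exe chain in the Agent Tesla post above and on the 661.exe to cmd.exe to BthTtons.exe chain just described. The PIDs are those quoted in the posts; the image paths (other than BthTtons.exe’s), the .bat name and the command lines are made up for the example.

```python
from collections import defaultdict

# Constructed process-creation events: pid, ppid, image path, integrity level, command line.
SAMPLE_EVENTS = [
    dict(pid=5012, ppid=4000, image=r"C:\Users\<User>\Downloads\u7cm.exe", integrity="Medium", cmdline="u7cm.exe"),
    dict(pid=3296, ppid=5012, image=r"C:\Users\<User>\Downloads\u7cm.exe", integrity="Medium", cmdline="u7cm.exe"),
    dict(pid=5856, ppid=3296, image=r"C:\Windows\System32\eventvwr.exe", integrity="Medium", cmdline="eventvwr.exe"),
    dict(pid=6096, ppid=3296, image=r"C:\Windows\System32\eventvwr.exe", integrity="High", cmdline="eventvwr.exe"),
    dict(pid=3036, ppid=6096, image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", integrity="High", cmdline="powershell.exe"),
    dict(pid=2384, ppid=3036, image=r"C:\Users\<User>\Downloads\u7cm.exe", integrity="High", cmdline="u7cm.exe"),
    dict(pid=7001, ppid=4000, image=r"C:\Users\<User>\Downloads\661.exe", integrity="Medium", cmdline="661.exe"),
    dict(pid=7002, ppid=7001, image=r"C:\Windows\System32\cmd.exe", integrity="Medium",
         cmdline=r'cmd.exe /c "C:\Users\<User>\AppData\Local\Temp\tmp1\run.bat"'),  # .bat name is made up
    dict(pid=7003, ppid=7002, image=r"C:\Windows\System32\cmd.exe", integrity="Medium", cmdline="cmd.exe"),
    dict(pid=7004, ppid=7003, image=r"C:\Users\<User>\AppData\Roaming\Microsoft\BtpamRes\BthTtons.exe",
         integrity="Medium", cmdline="BthTtons.exe"),
]


def build_tree(events):
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e["pid"])
    return by_pid, children


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(pid, by_pid):
    """Walk up parent links until we leave the recorded events."""
    chain = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid]["ppid"]
    return chain


def descendants(pid, children):
    out, stack = [], list(children[pid])
    while stack:
        p = stack.pop()
        out.append(p)
        stack.extend(children[p])
    return out


def find_suspicious_chains(events):
    by_pid, children = build_tree(events)
    alerts = []
    for e in events:
        name = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        # Rule 1: eventvwr.exe is not expected to spawn anything; a High-integrity
        # powershell.exe child is the pattern the Agent Tesla post describes.
        if (name == "powershell.exe" and parent is not None
                and basename(parent["image"]) == "eventvwr.exe" and e["integrity"] == "High"):
            alerts.append({"rule": "eventvwr_spawns_high_powershell",
                           "pid": e["pid"], "parent_pid": parent["pid"]})
        # Rule 2: cmd.exe running a .bat out of %Temp% whose descendants include an
        # executable under %AppData%\Roaming, as with 661.exe handing off to BthTtons.exe.
        cmd = e["cmdline"].lower()
        if name == "cmd.exe" and ".bat" in cmd and "\\temp\\" in cmd:
            spawned = [by_pid[p]["image"] for p in descendants(e["pid"], children)]
            roaming = [img for img in spawned if "\\appdata\\roaming\\" in img.lower()]
            if roaming:
                alerts.append({"rule": "temp_bat_launches_roaming_exe",
                               "pid": e["pid"], "launched": roaming})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_chains(SAMPLE_EVENTS):
        print(alert)
```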

Post-infection traffic shows follow-up GET requests:

These GET requests appear to download files associated with the Tor functionality.

There is also this registry entry at HKCU\SOFTWARE\AppDataLow\Software\Microsoft\:

References:

Post https://malwarebreakdown.com/?p=24050 (published 2017-11-12, updated 2017-11-13)

Note: I took a bit of a break, but I will try to get back to posting more regularly.

Today’s infection chain is a familiar one as it includes the Seamless campaign delivering Ramnit banking Trojan via RIG exploit kit. Below is an image of the infection chain, specifically the HTTP requests:

The infection chain starts off with a normal site and some ad traffic. The HTTP request for ad traffic redirects to an XML feed serving ads. The XML feed returned a 302 Found, pointing to hxxp://flinsheer-perreene[.]com/voluum/:

Typically, it would be at this point that unwanted connections would be filtered out and redirected to a benign site; however, I didn’t run any further tests for verification.

The server returns a 200 OK and points to the next step in the redirection chain via window.location.href=hxxp://flinsheer-perreene[.]com/voluum/cebddddb-0f28-4087-99c3-690fa79f4804??track=48tmsGdksmgj383P=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

The response to that request is shown below:

We see a meta refresh, redirecting after 0 seconds to hxxp://kcsmj[.]redirectvoluum[.]com:80/redirect?target=BASE64aHR0cDovLzE5NC41OC40MC4xOTMvdGVzdDIyLnBocA&ts=xxxxxxxxxxxxx&hash=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&rm=x (the value of the target parameter following the BASE64 marker is Base64 encoded).
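The two redirect responses above can be pulled apart programmatically. The following added example (not code from the post) extracts the target from a window.location.href assignment or a meta refresh, splits the query string, and decodes any value that is plain Base64, with or without the BASE64 marker seen in the URI and with missing padding tolerated. The response bodies are reconstructed from the fragments quoted above, and everything is defanged on the way out.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlsplit

# Reconstructed from the redirect steps quoted in the post (kept defanged, as there).
SAMPLE_RESPONSES = [
    'window.location.href="hxxp://flinsheer-perreene[.]com/voluum/cebddddb-0f28-4087-99c3-690fa79f4804'
    '??track=48tmsGdksmgj383P=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"',
    '<meta http-equiv="refresh" content="0;url=hxxp://kcsmj[.]redirectvoluum[.]com:80/redirect'
    '?target=BASE64aHR0cDovLzE5NC41OC40MC4xOTMvdGVzdDIyLnBocA&ts=xxxxxxxxxxxxx'
    '&hash=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&rm=x">',
]

JS_REDIRECT_RE = re.compile(r"""window\.location(?:\.href)?\s*=\s*["']([^"']+)["']""", re.I)
META_REFRESH_RE = re.compile(r"""<meta[^>]+content\s*=\s*["']\s*\d+\s*;\s*url=([^"'>]+)""", re.I)
# Standard or URL-safe Base64 body with optional trailing padding only.
B64_RE = re.compile(r"[A-Za-z0-9+/_-]{8,}={0,2}")


def refang(s: str) -> str:
    return s.replace("hxxp", "http").replace("[.]", ".")


def defang(url: str) -> str:
    """Neutralise the scheme and the dots of the host part only, leaving the path readable."""
    m = re.match(r"^(https?)://([^/?#]+)(.*)$", url, re.S)
    if not m:
        return url
    scheme, host, rest = m.groups()
    return f"{scheme.replace('http', 'hxxp')}://{host.replace('.', '[.]')}{rest}"


def extract_redirect_target(body: str):
    for rx in (META_REFRESH_RE, JS_REDIRECT_RE):
        m = rx.search(body)
        if m:
            return m.group(1).strip()
    return None


def decode_b64_param(value: str):
    """Decode a Base64 query value (optional 'BASE64' marker, padding optional) if it yields text."""
    candidate = value[6:] if value.upper().startswith("BASE64") else value
    if not B64_RE.fullmatch(candidate):
        return None
    candidate = candidate.replace("-", "+").replace("_", "/")
    candidate += "=" * (-len(candidate) % 4)
    try:
        text = base64.b64decode(candidate, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # random-looking tokens (ts, hash) land here
    return text if text.isprintable() else None


def analyze_redirects(bodies):
    hops = []
    for body in bodies:
        target = extract_redirect_target(body)
        if target is None:
            continue
        url = refang(target)
        decoded = {}
        for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
            text = decode_b64_param(value)
            if text is not None:
                decoded[key] = defang(text)
        hops.append({"target": defang(url), "decoded_params": decoded})
    return hops


if __name__ == "__main__":
    for hop in analyze_redirects(SAMPLE_RESPONSES):
        print(hop)
```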

This redirect leads to another response containing one more meta refresh:

After restarting the machine there are two more copies of the malware placed in %TEMP%:

There was also a copy in %TEMP%\Low:

Entry for “Client” found in HKCU\Software\AppDataLow\:

Creates various .log files in %LOCALAPPDATA% and %PROGRAMDATA%:

If you looked at the %LOCALAPPDATA% image you might have noticed another executable file called “APITEM.EXE”. This malware payload ended up being AZORult stealer and it was downloaded by my infected host after the initial system restart.

Some .tempcbss files created by AZORult are located in %TEMP%:

Network Based IOCs

After the system restart we could also see the DNS queries for Ramnit DGA domains:

Successful resolutions:

ngbclncfxjdsmmribt.com – 217.20.116.140

aujastmvehxqmlbb.com – 217.20.116.140

guaevvaxrujnobfytud.com – 194.87.145.189

kofeydncog.com – 87.106.190.153

sxkallpiiknswi.com – 87.106.190.153

Callback traffic for Ramnit:

217.20.116.140:443

194.87.145.189:443

87.106.190.153:443
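Added example, not from the posts: a heuristic triage of DNS logs for the kind of generated names listed here and in the registrant pivot earlier on this page (long second-level labels that are consonant-heavy or vowel-poor), which also groups resolved names by answer address the way the successful resolutions above cluster on 217.20.116.140 and 87.106.190.153. The log lines are constructed, the benign controls are my own, and the thresholds are assumptions that need tuning against real traffic.

```python
import re
from collections import defaultdict

VOWELS = set("aeiou")

# Constructed DNS log: timestamp, client, query name, answer (an address or NXDOMAIN).
# The generated names are the Ramnit DGA domains from the posts plus a few benign controls.
SAMPLE_DNS_LOG = """\
2017-11-12T19:05:01Z 10.0.0.25 ngbclncfxjdsmmribt.com 217.20.116.140
2017-11-12T19:05:02Z 10.0.0.25 aujastmvehxqmlbb.com 217.20.116.140
2017-11-12T19:05:03Z 10.0.0.25 guaevvaxrujnobfytud.com 194.87.145.189
2017-11-12T19:05:04Z 10.0.0.25 kofeydncog.com 87.106.190.153
2017-11-12T19:05:05Z 10.0.0.25 sxkallpiiknswi.com 87.106.190.153
2017-11-12T19:05:06Z 10.0.0.25 xnhmhtksxrafnvrdh.com NXDOMAIN
2017-11-12T19:05:07Z 10.0.0.25 malwarebreakdown.com 192.0.2.10
2017-11-12T19:05:08Z 10.0.0.25 download.windowsupdate.com 192.0.2.11
2017-11-12T19:05:09Z 10.0.0.25 example.com 192.0.2.12
"""


def second_level_label(qname: str) -> str:
    """Label left of the suffix; a two-level split is enough for the .com names handled here."""
    return qname.lower().rstrip(".").split(".")[-2]


def label_features(label: str) -> dict:
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    runs = re.findall(r"[b-df-hj-np-tv-z]+", label)  # y counted as a consonant
    return {"length": len(label), "vowel_ratio": vowel_ratio,
            "max_consonant_run": max((len(r) for r in runs), default=0)}


def looks_like_dga(qname: str, min_len: int = 9, max_vowel_ratio: float = 0.3, max_run: int = 4) -> bool:
    """Heuristic: long, consonant-heavy second-level labels, as with Ramnit's generated names."""
    f = label_features(second_level_label(qname))
    return f["length"] >= min_len and (
        f["max_consonant_run"] >= max_run or f["vowel_ratio"] <= max_vowel_ratio)


def triage_dns(log_text: str) -> dict:
    flagged, by_ip = set(), defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, _client, qname, answer = parts
        if not looks_like_dga(qname):
            continue
        flagged.add(qname)
        if answer != "NXDOMAIN":
            # Several generated names resolving to one address is the clustering the post
            # shows for the callback IPs; NXDOMAIN answers are the usual bulk of DGA traffic.
            by_ip[answer].add(qname)
    return {"flagged": flagged, "by_ip": dict(by_ip)}


if __name__ == "__main__":
    result = triage_dns(SAMPLE_DNS_LOG)
    print("flagged:", sorted(result["flagged"]))
    for ip, names in result["by_ip"].items():
        print(ip, sorted(names))
```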

Below is an image of the GET request for AZORult:

Note: Further analysis of the server delivering tutu.exe shows that it’s also hosting apis.exe and 1.exe. 1.exe was identified as Teamspy (aka TVRAT, TVSPY, and SpY-Agent) and apis.exe was identified as DarkVNC (Thanks to @Antelox for identifying the payloads).

The “Cookies” subfolder contains files similar to those in the AutoComplete subfolder:

CookieList.txt

IP.txt

Passwords.txt

SYSInfo.txt

These files contain the IP address and location of the compromised machine, saved passwords, system information (Machine ID, file path of the malware – .exe or .dll, Operating System information, computer name, username, CPU information, total RAM, GPU information, system processes currently running, programs currently installed), and information used by browsers.

Due to security reasons, I will not be giving out certain samples to the public.